Aging Retail Systems: Penny-Wise, Pound-Foolish?

Here’s why relying on aging, less secure technology can be a costly bet.

Retail businesses typically are low-margin operations, which is why they are often loath to invest in new technology for ongoing operations, or add to information security budgets. Two years after U.S. payment card networks shifted fraud liability from issuers to merchants, for example, half of retailers still shoulder the risk by using older, non-EMV payment terminals.

Understandably, retailers want to focus investments in areas that will increase customer engagement, as brick-and-mortar retailers confront the growing threat of online retailers. According to an annual RIS/Gartner Retail Technology Study, the top-rated challenge among retailers over the next three years is retiring legacy systems.

Retailers are focused on unified commerce, personalized marketing, and customer engagement, according to that same report. That means budgets are going to remain tight for investments in areas that don’t lead to results in these key areas.

Costly bets with aging equipment

But relying on aging, less secure technology could be a costly bet. In fact, many retailers are likely overlooking the security of network-attached printers that could provide unintended gateways into payment networks. And, as the Target point-of-sale (POS) data breach illustrated, any network access is as good as gold to a cybercriminal.

According to a report in Krebs on Security, a Target-commissioned report following the breach indicates that “consultants were able to directly communicate with point-of-sale registers and servers from the core network. In one instance, they were able to communicate directly with cash registers in checkout lanes after compromising a deli meat scale located in a different store.”

Many retailers are incorporating innovative technologies such as mobile and social media into environments that are riddled with aging legacy equipment (such as outdated POS systems). In doing so, they may be opening greater outside access to internal systems that are difficult, if not impossible, to secure.

It’s probably a safe bet that most retailers have even less insight into their printer networks than their POS networks. A 2016 survey from research firm Quocirca found retailers lagging behind financial and professional services companies when it comes to security for their print infrastructure.

Ripe for exploitation

But those printers, often sitting unattended in open offices, may include operating systems, storage media, and software that are ripe for exploitation. Because they require little if any technical skill to operate, printers and other imaging devices are often overlooked in the security infrastructure. However, many of these devices incorporate software-implemented communications “ports” that give criminals potential points of vulnerability to exploit over internet protocols. Others have USB slots that could allow an attacker to upload malware to the network, collect sensitive data, and transmit it over the internet.

And it’s not just sophisticated cyber schemes that threaten the print environment. Documents left unattended in a printer output tray could allow a passerby to quickly scoop up confidential information, potentially causing compliance violations if customer data is involved.

Printers that require little more than the replacement of ink and paper may seem like low-priority risks, but in an era of constant threats, retailers need to look into upgrading devices that provide little in the way of security protection or, worse, provide relatively unfettered access to corporate networks as readily as a laptop or desktop computer.

In addition to tightening up security policies and implementing best practices, retailers can look to modern printers from HP that contain sophisticated technologies to make them active parts of the security defense. Today’s printers can incorporate continuous monitoring and intrusion detection; when malware is detected, they automatically reboot to prevent the execution of malware and can even self-heal the internal BIOS.